
CVE-2025-4603: Store Manager for WooCommerce RCE Flaw

CVE-2025-4603 is an arbitrary file deletion vulnerability in the eMagicOne Store Manager for WooCommerce plugin for WordPress. Because the deletion can target wp-config.php, it can be chained into a site takeover and remote code execution. This article covers technical details, affected versions, detection and mitigation.


CVE-2025-4603 Overview

CVE-2025-4603 is an arbitrary file deletion vulnerability in the eMagicOne Store Manager for WooCommerce plugin for WordPress. The flaw exists in the delete_file() function, which fails to properly validate user-supplied file paths. All plugin versions up to and including 1.2.5 are affected.

Unauthenticated attackers can delete arbitrary files on the underlying server when the plugin is left with its default connector credentials of 1:1, or when an attacker otherwise obtains the configured credentials. Deleting wp-config.php drops WordPress back into its setup flow, which an attacker can complete against a database they control and then use to install code, turning file deletion into remote code execution. The weakness is tracked as CWE-73 (External Control of File Name or Path).

Critical Impact

Unauthenticated attackers can delete wp-config.php and other server files, leading to site takeover and remote code execution.

Affected Products

  • eMagicOne Store Manager for WooCommerce plugin for WordPress
  • All versions up to and including 1.2.5
  • Installations that still use the default connector credentials (1:1) are exploitable with no prior access; installations with changed credentials remain vulnerable to anyone who knows them

Discovery Timeline

  • 2025-05-24 - CVE-2025-4603 published to NVD
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2025-4603

Vulnerability Analysis

The eMagicOne Store Manager for WooCommerce plugin exposes a connector endpoint that accepts file management commands from the desktop Store Manager client. The delete_file() function processes a file path supplied in the request and removes the corresponding file from disk. The function does not constrain the path to the plugin's working directory and does not validate against path traversal sequences.

An unauthenticated attacker who can reach the connector endpoint can request deletion of any file that lives in a directory the web server user can write to (unlinking requires write permission on the containing directory, not on the file itself). Removing wp-config.php causes WordPress to redirect the next request to its setup wizard. The attacker can then point WordPress at an attacker-controlled database, create an administrator account, and upload a malicious plugin or theme to gain remote code execution.

Exploitation requires either the default authentication pair 1:1 or knowledge of the configured credentials. Many installations retain the default value, which makes the issue effectively unauthenticated in real-world deployments. See the Wordfence Vulnerability Intel Report and the Ryan Kozak CVE Analysis for further technical detail.

Root Cause

The root cause is insufficient file path validation in the delete_file() function. The plugin trusts client-supplied paths without normalizing them or enforcing a base directory restriction. Combined with a static default credential pair, the design permits arbitrary filesystem operations from the network.
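The containment check that the Root Cause section says is missing, shown as an added example in Python rather than the plugin's PHP (the function names, the base-directory layout and the sample files are constructed for this illustration and are not taken from the plugin source). The vulnerable variant joins and unlinks the client-supplied path exactly as the advisory describes; the hardened variant canonicalises the path first and refuses anything that resolves outside the working directory, which also defeats encoded and symlink-based variants that a plain `../` string check would miss.

```python
"""Path-containment check for a file-deletion sink such as delete_file().

Added example, not the plugin's code: function names and the directory
layout below are assumptions made for the illustration.
"""
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a client-supplied path resolves outside the allowed base."""


def resolve_inside(base_dir: str, user_path: str) -> Path:
    """Return the canonical target for user_path, or raise if it escapes base_dir.

    Path.resolve() collapses '..' segments and follows symlinks, so comparing the
    resolved target against the resolved base is sufficient; substring checks
    for '../' are bypassable with encoding tricks or symlinks.
    """
    base = Path(base_dir).resolve()
    if os.path.isabs(user_path):
        # Absolute client paths are never legitimate for a working-directory API.
        raise PathEscapeError(f"absolute path rejected: {user_path!r}")
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise PathEscapeError(f"path escapes base directory: {user_path!r}")
    return target


def vulnerable_delete_file(base_dir: str, user_path: str) -> bool:
    """The pattern the advisory describes: join and unlink with no containment check."""
    target = os.path.join(base_dir, user_path)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def hardened_delete_file(base_dir: str, user_path: str) -> bool:
    """Same operation with the containment check in front of the unlink."""
    target = resolve_inside(base_dir, user_path)
    if target.is_file():
        target.unlink()
        return True
    return False


def demo() -> dict:
    """Run both variants against a throwaway directory tree that mimics a
    WordPress install (constructed here) and report what happened."""
    with tempfile.TemporaryDirectory() as root:
        docroot = Path(root) / "htdocs"
        workdir = docroot / "wp-content" / "uploads" / "store-manager"
        workdir.mkdir(parents=True)
        (docroot / "wp-config.php").write_text("<?php // constructed sample\n")
        (workdir / "export.csv").write_text("sku,qty\n")
        traversal = "../../../wp-config.php"   # three levels up from workdir

        results = {}
        # Vulnerable: the traversal reaches and removes wp-config.php.
        results["vuln_deleted"] = vulnerable_delete_file(str(workdir), traversal)
        results["wp_config_after_vuln"] = (docroot / "wp-config.php").exists()

        (docroot / "wp-config.php").write_text("<?php // restored\n")
        # Hardened: the same input is rejected before any filesystem access.
        try:
            hardened_delete_file(str(workdir), traversal)
            results["hardened_raised"] = False
        except PathEscapeError:
            results["hardened_raised"] = True
        results["wp_config_after_hardened"] = (docroot / "wp-config.php").exists()
        # A legitimate in-scope file name still works through the hardened path.
        results["in_scope_deleted"] = hardened_delete_file(str(workdir), "export.csv")
        return results


if __name__ == "__main__":
    print(demo())
```

The same resolve-then-compare check belongs in front of every filesystem operation the connector exposes, not only deletion; the static default credential is a separate defect and is not addressed by path validation.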

Attack Vector

The attack vector is network-based. An attacker sends a crafted HTTP request to the plugin's connector entry point with the default or known credentials and a target path. The connector's request handling is visible in the plugin source on the WordPress plugin Trac, and a public proof-of-concept repository exists.

No verified exploitation code is reproduced here. The vulnerability is described in prose; consult the linked references for technical specifics.

Detection Methods for CVE-2025-4603

Indicators of Compromise

  • HTTP POST requests to the eMagicOne Store Manager Connector endpoint (smconnector.php) from unexpected source IPs
  • Requests containing path traversal sequences such as ../ in file or path parameters
  • Unexpected deletion or absence of wp-config.php, followed by requests to the WordPress setup flow at /wp-admin/setup-config.php or /wp-admin/install.php
  • Creation of new WordPress administrator accounts shortly after connector activity
  • New or modified plugin and theme files in wp-content/ following connector traffic

Detection Strategies

  • Inspect web server logs for requests to smconnector.php that include file path or deletion parameters
  • Alert on authentication attempts to the connector using the default credential pair 1:1
  • Monitor filesystem integrity for wp-config.php and other root-level WordPress files
  • Correlate connector traffic with subsequent administrator account creation events in the WordPress database
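A log-review helper that implements the first, third and fourth detection strategies above over a web server access log, added here as an example (the log lines are constructed, and the connector file name, the plugin directory, the query parameters and the administrative IP range are assumptions about a deployment, not facts from the advisory). It flags connector requests from outside an allow-list, flags traversal sequences after undoing single and double percent-encoding, and raises a separate finding when the same source hits the WordPress setup wizard shortly after touching the connector.

```python
"""Access-log triage for connector abuse. Added example with constructed
log lines; endpoint name, URL layout and admin range are assumptions."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Apache/Nginx "combined" format prefix: ip - - [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
CONNECTOR = "smconnector.php"                       # assumed connector file name
WIZARD_PATHS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")
ADMIN_NETS = [ip_network("203.0.113.0/24")]         # assumed management range
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")

# Constructed sample: one legitimate desktop-client request, one traversal
# attempt from an unknown host, the setup wizard hit that follows, and noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:09:00:01 +0000] "POST /wp-content/plugins/example-plugin-slug/smconnector.php HTTP/1.1" 200 512 "-" "StoreManager/10"
198.51.100.23 - - [10/Jun/2025:11:14:02 +0000] "POST /wp-content/plugins/example-plugin-slug/smconnector.php?task=delete_file&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 17 "-" "curl/8.5.0"
198.51.100.23 - - [10/Jun/2025:11:14:05 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2025:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def has_traversal(path: str) -> bool:
    """Detect ../ or ..\\ after undoing single and double percent-encoding."""
    decoded = unquote(unquote(path))
    return TRAVERSAL_RE.search(decoded) is not None


def from_admin_net(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def analyze(log_text: str, window: timedelta = timedelta(minutes=15)):
    """Return (source_ip, finding) pairs for the detection strategies above."""
    findings = []
    last_connector_hit = {}   # source ip -> time of its most recent connector request
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, when = rec["ip"], rec["path"], rec["time"]
        if CONNECTOR in path:
            last_connector_hit[ip] = when
            if not from_admin_net(ip):
                findings.append((ip, "connector_request_from_unexpected_ip"))
            if has_traversal(path):
                findings.append((ip, "traversal_in_connector_request"))
        elif any(path.startswith(p) for p in WIZARD_PATHS):
            seen = last_connector_hit.get(ip)
            if seen is not None and timedelta(0) <= when - seen <= window:
                findings.append((ip, "install_wizard_after_connector_activity"))
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG):
        print(f"{ip:16} {finding}")
```

The wizard correlation is keyed on source IP only, which is enough for a first pass; in production, correlate the setup-wizard hit with the file-integrity alert for wp-config.php as well, since an attacker can complete the setup flow from a different address. Note that traversal in a POST body is not visible in an access log, so this helper only catches payloads carried in the URL; body inspection needs a WAF or full request logging.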

Monitoring Recommendations

  • Enable WordPress audit logging and forward events to a central SIEM for correlation
  • Track file integrity baselines for the WordPress document root and key configuration files
  • Apply web application firewall rules that block path traversal patterns targeting plugin endpoints

How to Mitigate CVE-2025-4603

Immediate Actions Required

  • Update the eMagicOne Store Manager for WooCommerce plugin to a release newer than 1.2.5 that includes WordPress plugin changeset 3308544
  • Until a patched version is deployed, deactivate and remove the plugin from all WordPress installations
  • Change the connector credentials away from the default 1:1 pair to a strong, unique value
  • Restrict access to smconnector.php to known administrative IP addresses at the web server or firewall layer

Patch Information

The vulnerability is addressed in code committed in WordPress plugin changeset 3308544. Administrators should verify their installed version is greater than 1.2.5 and confirm the plugin source reflects the patched delete_file() logic.

Workarounds

  • Block external requests to the connector endpoint using .htaccess or equivalent web server access controls
  • Deploy a web application firewall rule that filters path traversal payloads against plugin endpoints
  • Audit and replace any installation still using the default 1:1 connector credentials
  • Restore wp-config.php from backup and review for unauthorized administrator accounts if deletion is detected

```apache
# Apache 2.4+ example (mod_authz_core): restrict the connector endpoint to a known
# administrative range. Place in the site's .htaccess or the vhost configuration and
# replace 203.0.113.0/24 with your own management network.
<Files "smconnector.php">
    Require ip 203.0.113.0/24
</Files>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
